SANS Penetration Testing

[Editor's Note: Some things I work on are the result of ten, thirty, or one hundred minutes of effort. Others are the result of six months or a year of work (such as my office tour). This blog is the result of over a year's work by not only me, but also John Strand, Josh Wright, Kevin Johnson, Steve Sims, and many others.

In each of the seven SANS Penetration Testing Curriculum courses, Day 6 is a Capture the Flag (CtF) event, allowing students to pull together their experiences from the previous five days into a full-day exercise that models real-world penetration test activities. For about a year now, we've been rolling out course-specific CtF challenge coins as a prize for the noteworthy accomplishment of finishing among the top five winners in each class. But, only a few people know the backstory of the SANS Pen Test Curriculum coins... until now. You see, there is a cipher embedded in each coin, and here's the story of how that came to be. -Ed.]

Several years ago, Rob Lee started giving away challenge coins to people he calls "Forensicators" (Given my delicate virgin ears, I blush every time I hear that word, by the way). Rob awards these really beautiful coins to people who do something special — write a blog post, ask a great question in class, write a tool, win a challenge in a class, and more. I've always thought his coins were a fantastic idea, and a wonderful reward for people who do great stuff. Rob was pushing me for years to create a pen test coin. "Where's _your_ coin, Ed?" he'd sometimes taunt, in that precious way only Rob Lee can muster.

But, while I loved what Rob did with the coins, I didn't want to just copy Rob's coin plan. So I thought about the situation for months, and how we could tie some sort of coin thing into the SANS Pen Test courses.

On Day 6, each Pen Test course has a Capture the Flag competition, and, for my courses, I'd always given out an autographed copy of my book as a prize. My publisher generously sent those books to me for free, as a marketing thing. I was really happy to get them. About 18 months ago, there was a staffing change at my publisher, and they told me "No more free books" (kinda like the "No free bugs" movement, only completely different). Buying books at the author's price was still a bit pricey ($30 each), so I bought some books myself as prizes while I started brainstorming other options.

During one of my morning walks, it hit me... my two problems (getting a coin for the Pen Test Curriculum to address Rob's taunting challenge, plus being kicked off of the free book gravy train for CtF prizes) could be used to solve each other, and we could add some fun and whimsy to the whole thing. The idea was to have a different prize coin for each SANS Pen Test class. Money-wise, we could give five prize coins away in each class for about the same price as the book.

And, instead of just 504, we'd have a different coin for each of the pen test classes, so people could collect them all! We'd give each course's coin a different theme, such as super heroes, ninjas, and spiders. The course's author could impart their own personality, wisdom, and humor into each coin. And, best yet, the coin imagery could be used as a course icon. SANS has course icons for some of the other (non-pen-test) courses, but none for pen test courses. I didn't want a clip-art or stock image look for the course icons, so at that time I was working on a small project to try to come up with special course icons. That project was fail fail fail, as the artists were only creating garbage. But, the coin project solved the logo problem too! Win-win-win.

In early 2012, I set about having an artist work on the 504 coin. We spent about a month going through ideas and drafts. Then, at RSA in Feb 2012, we had our final draft ready to send. I showed it to my friends and colleagues at the RSA conference, and they loved it! I was excited.

But, at that same RSA conference, when I showed the 504 coin image to John Strand, he said, "Really cool... and what is the challenge?"

I replied (and this quote is 100% accurate), "Wha???" Strand said back, "Well, this is a Skoudis thing so there must be some kind of challenge or puzzle built into the coin." Me: "Oh...uh... yeah. I'm working on that." I panicked. Strand was right, and I hadn't thought this through enough. It could be a hundred times better the way he suggested.

The coins were already in fabrication, and I needed to retrofit a challenge into the coin. Walking the streets of San Francisco, I thought long and hard. Then, it hit me — we could have a single phrase that weaves its way throughout each pen test course coin. Each coin would have a unique cipher for part of the phrase. People would have to solve all kinds of ancient, modern, and custom-created twisted ciphers from all of the coins to get the final phrase that pays. Then, we'd give the first person to win and decode all the coins a really exciting prize. I ran it by SANS management, and they were on board. This would be a big undertaking, rolling out eight coins over the space of a year, but lots of fun — with the ultimate embedded mystery in the coins themselves.

But, there remained the problem of the 504 coin not having an encoded message. I continued to think — and then, "Heeeeeey! We could bootstrap this by using the text on the back of the 504 coin as a reference to decode something." I don't want to give away how it works, but it is a little like a one-time pad based on a historical cipher.

With that problem solved and our plan in place, we got our first batch of 504 coins in Orlando in March 2012. They were a hit.

We got our first batch of 560 coins in Baltimore in April 2012. More excitement.

The 575 coin came in May 2012 in San Diego. Josh hired his own artist to do it, and it was AWESOME with a cool cipher, great theme (Gamera, the flying turtle monster that battled Godzilla), and inspired artwork. Next, the 542 coin arrived in June 2012 in Denver, with my artist working on spider ideas provided by Kevin Johnson and Lara Dawson. Then, the 660 coin appeared in DC at SANS FIRE in July 2012, done by Steve Sims' artist using a Conan the Barbarian theme.

We hit a snag. Our artists were pretty tapped for ideas, as were we. There were three more coins needed: 617, 642, and NetWars. It took a few months, but we finally got the NetWars coins done in the nick of time for the Tournament of Champions in December 2012. The Counter Hack Challenges guys and I created a custom cipher over Thanksgiving (at the same time we were working on the Miser Brothers' Holiday Hacking challenge) for that one. Then, the 617 coin debuted in January 2013 featuring another movie monster (that knife-headed monster Guiron from another Godzilla movie, via Josh's artist).

We are almost there with our final coin: the one for 642, which we just finished last week and will pass out starting in one month. That'll make 8 coins total, with the following themes (please click on the theme for a full view of the face of each coin):

Each coin includes on its face the course name, number, and logo, as well as some words about what the course is about. On the back, there's an inspirational quote congratulating the winner and challenging him or her to do great things. And, of course, there is a different cipher on each coin's back. I must say, it has been TREMENDOUSLY fun adapting historical ciphers and encodings to the coins, as well as creating our own fun ciphers from scratch.

But, not everyone wins a coin, and some people really like the images from the course and wanted something to take home. Even the people who won the coin wanted another way to represent their victory. So, we tried another experiment at SANS Vegas in September 2012 — we had little stickers made up with the coin images on them, to distribute to folks who took the course. When we went to pass them out, students went CRAZY for them. We gave them all away in a matter of minutes. We've been passing them out at selected conferences ever since. Oh, but the stickers DO NOT have the ciphers on them. If you want the ciphers, you have to win the coin (or use your wiles, wit, persuasion, and other more nefarious tactics) to determine those.

And, that's the story of the coins.

The story does continue, though — we're having T-shirts made up that show all 8 coins on the front (two rows of four coins), and then a mysterious coin-shaped silhouette lit from behind underneath. We hope to have those T-Shirts later in 2013. That way, students can wear the shirt and point to the coins they've won, and also point to the next one they plan to conquer. What's that 9th coin, in silhouette, you ask? Well, that's another mystery (our funk is multi-layered).

Oh, and we have one more thing up our sleeves for people who have taken our courses in the past, but perhaps didn't win a coin (either because we didn't have the coins at the time, or because they didn't win the CtF). I call this idea and event "Coin-A-Palooza". Just at two special events, if you have taken a given SANS Pen Test course before, your NetWars performance will allow you to earn coins for those courses you've taken before. People who get from Level 1 to Level 2 of NetWars will get a 504 coin (if you've taken 504 before... and we will be checking). If you go from Level 2 to Level 3, you can get a 542, 560, 573, or 575 coin of your choosing if you've taken those courses. If you go from Level 3 to Level 4, you'll get your choice of a 617, 642, or 660 coin. And, if you come in the top 5 spots of NetWars at the event, you get a NetWars coin. So, people will be able to pick up between one and five extra coins at the event.

I'd like to close by congratulating the victors of the various SANS Pen Test Courses. You folks have done something very special, and, as an instructor, it has been an honor working with you as you develop and apply your incredible skills. On behalf of all the SANS Pen Test Curriculum instructors, we'd like to thank you for your hard work, diligence, and achievement of excellence!

arnim

"There is a different cipher on each coin's back" Hmmm, I just wonder because my 504 coin doesn't have a recognizable cipher on the back but some numbers in front which look like dates? Is that the cipher?

Jeff

Ed Skoudis

Jeff, great question. Unfortunately, we do not track the winners over the past 10 years of SANS courses, so we can't provide a coin. Winners who took the courses before we had coins received other prizes, such as an autographed book. But, your point is well made. You took a course, won the CtF, and now you'd like a shot at the coin. We thought long and hard about this, and we've got a way for you to do it! From November 7 to 14, we'll be running a special pen test hackfest event in Washington DC. During the evenings, we'll be running something I call "Coinapalooza". Here's how it works:

For participants who have taken a given SANS course, but have not won the capture the flag challenge coin, this event will offer the ability to catch up on the coins by participating in the four nights of NetWars challenges. If you've taken 504 in the past (but didn't win the coin), and make it from NetWars Level 1 into 2, you'll earn the 504 coin! If you make it into Level 3, you'll get your choice of a 542, 560, or 575 coin, provided you've taken the associated course sometime in the past. Make it into Level 4, and you'll get your choice of a 617, 642, or 660 coin if you've had those classes! And, if you win NetWars, you'll get the NetWars coin. With Coin-a-palooza, you'll have an opportunity to win up to 4 challenge coins for your collection.

For details, check out: http://www.sans.org/event/pen-test-hack-fest-2013

Ed Skoudis

Michael, great question! Each coin encodes and/or encrypts a single word. You can crack that code for that word with only the information on that coin. In other words, to break an individual part of the message, you need only one coin. Make sense?

David R

Hi Ed, I just followed the 504 course with David @LEXSI Paris. I won (or p0wned) the CTF and I was very happy to get 2 coins! Very good for the challenge in my opinion. Regarding the solution for the decipher, I'm still blocked on it. For the message on the back I was

Wil

Ed Skoudis

Wil, no need to submit the decoded message from individual coins. If you get the message from ALL the coins, though, please let me know! That would be AWESOME! If you really want to send me the individual coin decode, though, you can email me. I'll congratulate you on that one coin, though.

Clark

Ed Skoudis

Clark, you need to crack the encrypted/encoded words from the original 8 coins mentioned in this article. Since the article was released, we do have additional coins that extend the challenge. The 561 (intense hands-on skills) and 573 (python for pen testers) coins bring us to ten coins total. Also, we've got a 760 coin (adv exploit dev) arriving soon (within a month or so), and a new 562 (CyberCity course) coin early next year. Each of those builds on the original challenge. But, the original challenge, manifested in 8 coins, still stands. Thanks for your interest!

Steve

Ed Skoudis

Steve, at NetWars Tournaments, we offer the NetWars coin to the top winners. We don't have a coin for NetWars Continuous, because it is open ended on time and there are ample hints for people to take to complete each challenge, meaning that it's not a competition really. Continuous is more of a teaching tool / learning environment.

Ed Skoudis

But, we do offer one specific event each year where you can earn coins for previously taken courses. We call it Coin-a-palooza, and offer it at the SANS Pen Test Hackfest. This year, it runs from Nov 13 to 20th. Lotsa great events planned for it. Check it out here: http://www.sans.org/event/sans-pen-test-hackfest-2014

David Bernal

Coins are an awesome idea, they are all very nice and with excellent designs. It would be very cool if SANS would give something to those that have achieved a given number of coins (such as three), such as free exam attempts or discount codes for more certifications. That would be a great motivation!!